PT-2024-32860 · Gradio · Gradio

Ahpaleus +1

Published: 2024-10-10 · Updated: 2024-10-17

CVE-2024-47869

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 4.44

Description: This issue is a timing attack in the way Gradio compares hashes for the analytics dashboard function. Because the comparison is not performed in constant time, an attacker could measure the response time of different requests to infer the correct hash byte by byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys.

Recommendations: To mitigate this issue, upgrade to Gradio version 4.44 or later. As a temporary workaround, developers can manually patch the analytics dashboard to use a constant-time comparison function for comparing sensitive values such as hashes. Alternatively, access to the analytics dashboard can be disabled to minimize the risk of exploitation.
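The following is an added illustration of the weakness described above and of the constant-time comparison the recommendations call for; it is not Gradio's code and does not reproduce the vulnerable function. The function names (`naive_equal`, `constant_time_equal`, `check_dashboard_key`), the SHA-256 hashing of the presented key, and the sample key are assumptions made for the example. Each comparison function also returns how many bytes it examined, which is what makes the short-circuit behaviour of the naive version visible.

```python
import hashlib
import hmac


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Short-circuiting comparison (the pattern behind this class of bug).

    Returns (result, number of bytes examined). Work stops at the first
    mismatching byte, so the time taken depends on how much of the
    secret the caller has already guessed correctly.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Hand-written constant-time comparison for illustration.

    Always walks the full length and accumulates differences with XOR/OR,
    so control flow (and therefore timing) does not depend on where the
    inputs differ. Only the length check is data-dependent, and lengths
    of hash digests are public anyway.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def check_dashboard_key(presented_key: str, expected_hash_hex: str) -> bool:
    """Hardened check: hash the presented key, then compare with the
    standard library's hmac.compare_digest, which is the comparison a
    patched application should use for secrets and hashes.

    expected_hash_hex is the hex SHA-256 of the real key (assumed storage
    format for this example).
    """
    presented_hash_hex = hashlib.sha256(presented_key.encode("utf-8")).hexdigest()
    return hmac.compare_digest(
        presented_hash_hex.encode("ascii"),
        expected_hash_hex.encode("ascii"),
    )


if __name__ == "__main__":
    # Constructed sample values; not taken from Gradio.
    stored = hashlib.sha256(b"example-dashboard-key").hexdigest()
    print("naive, mismatch at byte 1:", naive_equal(b"abcdef", b"xbcdef"))
    print("naive, mismatch at byte 6:", naive_equal(b"abcdef", b"abcdex"))
    print("constant-time, mismatch at byte 1:", constant_time_equal(b"abcdef", b"xbcdef"))
    print("hardened check, correct key:", check_dashboard_key("example-dashboard-key", stored))
    print("hardened check, wrong key:", check_dashboard_key("wrong", stored))
```

The two `naive_equal` calls show the leak: a guess that is wrong in its first byte is rejected after one comparison, a guess that is wrong only in its last byte after six, and that difference is what a remote caller measures. `constant_time_equal` examines every byte regardless, and `hmac.compare_digest` does the same in C; in production use the latter rather than a hand-rolled loop, since the interpreter can still introduce subtle timing differences in Python-level code.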

Exploit

Fix

Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2024-47869
GHSA-J757-PF57-F8R4
PYSEC-2024-199

Affected Products

Gradio